njrat | b73dc9d5947dd389cbae282955568d35ae3a38acd24983b116cdd8eb7ef67155

General

Target

857aff9992a47764185c61da2493c753.exe
Size

407KB
MD5

857aff9992a47764185c61da2493c753
SHA1

6efa34cd3fdb299fcd940c0719d3a172bac83164
SHA256

b73dc9d5947dd389cbae282955568d35ae3a38acd24983b116cdd8eb7ef67155
SHA512

fbb2a5bfb068d4f56e338dc67f4d1a171af3156de2b3d956a0a1bd9526706f370cdff16cfb136049468b3a71db4c7ce99349265d3841db7775d5389b7aab798a

Score

10^/10

njrat nyan cat trojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

pedrobedoya2021.duckdns.org:1980

Mutex

cf13c225ff474d45b

Attributes

reg_key
cf13c225ff474d45b
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Suspicious use of SetThreadContext 1 IoCs

Processes:

857aff9992a47764185c61da2493c753.exe

description pid process target process

PID 1980 set thread context of 1884 1980 857aff9992a47764185c61da2493c753.exe 857aff9992a47764185c61da2493c753.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

857aff9992a47764185c61da2493c753.exepowershell.exe

pid process

1980 857aff9992a47764185c61da2493c753.exe
1980 857aff9992a47764185c61da2493c753.exe
988 powershell.exe
988 powershell.exe

description	pid	process	target process
PID 1980 set thread context of 1884	1980	857aff9992a47764185c61da2493c753.exe	857aff9992a47764185c61da2493c753.exe

pid	process
1980	857aff9992a47764185c61da2493c753.exe
1980	857aff9992a47764185c61da2493c753.exe
988	powershell.exe
988	powershell.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

857aff9992a47764185c61da2493c753.exepowershell.exe857aff9992a47764185c61da2493c753.exe

description	pid	process
Token: SeDebugPrivilege	1980	857aff9992a47764185c61da2493c753.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	1884	857aff9992a47764185c61da2493c753.exe
Token: 33	1884	857aff9992a47764185c61da2493c753.exe
Token: SeIncBasePriorityPrivilege	1884	857aff9992a47764185c61da2493c753.exe
Token: 33	1884	857aff9992a47764185c61da2493c753.exe
Token: SeIncBasePriorityPrivilege	1884	857aff9992a47764185c61da2493c753.exe
Token: 33	1884	857aff9992a47764185c61da2493c753.exe
Token: SeIncBasePriorityPrivilege	1884	857aff9992a47764185c61da2493c753.exe
Token: 33	1884	857aff9992a47764185c61da2493c753.exe
Token: SeIncBasePriorityPrivilege	1884	857aff9992a47764185c61da2493c753.exe
Token: 33	1884	857aff9992a47764185c61da2493c753.exe
Token: SeIncBasePriorityPrivilege	1884	857aff9992a47764185c61da2493c753.exe
Token: 33	1884	857aff9992a47764185c61da2493c753.exe
Token: SeIncBasePriorityPrivilege	1884	857aff9992a47764185c61da2493c753.exe
Token: 33	1884	857aff9992a47764185c61da2493c753.exe
Token: SeIncBasePriorityPrivilege	1884	857aff9992a47764185c61da2493c753.exe
Token: 33	1884	857aff9992a47764185c61da2493c753.exe
Token: SeIncBasePriorityPrivilege	1884	857aff9992a47764185c61da2493c753.exe
Token: 33	1884	857aff9992a47764185c61da2493c753.exe
Token: SeIncBasePriorityPrivilege	1884	857aff9992a47764185c61da2493c753.exe
Token: 33	1884	857aff9992a47764185c61da2493c753.exe
Token: SeIncBasePriorityPrivilege	1884	857aff9992a47764185c61da2493c753.exe
Token: 33	1884	857aff9992a47764185c61da2493c753.exe
Token: SeIncBasePriorityPrivilege	1884	857aff9992a47764185c61da2493c753.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

857aff9992a47764185c61da2493c753.exe

C:\Users\Admin\AppData\Local\Temp\857aff9992a47764185c61da2493c753.exe
"C:\Users\Admin\AppData\Local\Temp\857aff9992a47764185c61da2493c753.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\857aff9992a47764185c61da2493c753.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:988
- C:\Users\Admin\AppData\Local\Temp\857aff9992a47764185c61da2493c753.exe
  "C:\Users\Admin\AppData\Local\Temp\857aff9992a47764185c61da2493c753.exe"
  2⤵
  PID:1748
- C:\Users\Admin\AppData\Local\Temp\857aff9992a47764185c61da2493c753.exe
  "C:\Users\Admin\AppData\Local\Temp\857aff9992a47764185c61da2493c753.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/988-73-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/988-86-0x00000000060E0000-0x00000000060E1000-memory.dmp

Filesize
4KB

Download
memory/988-110-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/988-109-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/988-74-0x0000000004972000-0x0000000004973000-memory.dmp

Filesize
4KB

Download
memory/988-65-0x0000000000000000-mapping.dmp

Download
memory/988-66-0x0000000076A01000-0x0000000076A03000-memory.dmp

Filesize
8KB

Download
memory/988-75-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/988-95-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/988-93-0x0000000006240000-0x0000000006241000-memory.dmp

Filesize
4KB

Download
memory/988-71-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/988-72-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/988-85-0x00000000060A0000-0x00000000060A1000-memory.dmp

Filesize
4KB

Download
memory/988-84-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/988-79-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/988-76-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/1884-67-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1884-69-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1884-94-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/1884-68-0x000000000040677E-mapping.dmp

Download
memory/1980-64-0x0000000000370000-0x000000000038F000-memory.dmp

Filesize
124KB

Download
memory/1980-62-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/1980-61-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/1980-63-0x0000000004EF0000-0x0000000004F44000-memory.dmp

Filesize
336KB

Download
memory/1980-0-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 1980 wrote to memory of 988	1980	857aff9992a47764185c61da2493c753.exe	powershell.exe
PID 1980 wrote to memory of 988	1980	857aff9992a47764185c61da2493c753.exe	powershell.exe
PID 1980 wrote to memory of 988	1980	857aff9992a47764185c61da2493c753.exe	powershell.exe
PID 1980 wrote to memory of 988	1980	857aff9992a47764185c61da2493c753.exe	powershell.exe
PID 1980 wrote to memory of 1748	1980	857aff9992a47764185c61da2493c753.exe	857aff9992a47764185c61da2493c753.exe
PID 1980 wrote to memory of 1748	1980	857aff9992a47764185c61da2493c753.exe	857aff9992a47764185c61da2493c753.exe
PID 1980 wrote to memory of 1748	1980	857aff9992a47764185c61da2493c753.exe	857aff9992a47764185c61da2493c753.exe
PID 1980 wrote to memory of 1748	1980	857aff9992a47764185c61da2493c753.exe	857aff9992a47764185c61da2493c753.exe
PID 1980 wrote to memory of 1884	1980	857aff9992a47764185c61da2493c753.exe	857aff9992a47764185c61da2493c753.exe
PID 1980 wrote to memory of 1884	1980	857aff9992a47764185c61da2493c753.exe	857aff9992a47764185c61da2493c753.exe
PID 1980 wrote to memory of 1884	1980	857aff9992a47764185c61da2493c753.exe	857aff9992a47764185c61da2493c753.exe
PID 1980 wrote to memory of 1884	1980	857aff9992a47764185c61da2493c753.exe	857aff9992a47764185c61da2493c753.exe
PID 1980 wrote to memory of 1884	1980	857aff9992a47764185c61da2493c753.exe	857aff9992a47764185c61da2493c753.exe
PID 1980 wrote to memory of 1884	1980	857aff9992a47764185c61da2493c753.exe	857aff9992a47764185c61da2493c753.exe
PID 1980 wrote to memory of 1884	1980	857aff9992a47764185c61da2493c753.exe	857aff9992a47764185c61da2493c753.exe
PID 1980 wrote to memory of 1884	1980	857aff9992a47764185c61da2493c753.exe	857aff9992a47764185c61da2493c753.exe
PID 1980 wrote to memory of 1884	1980	857aff9992a47764185c61da2493c753.exe	857aff9992a47764185c61da2493c753.exe

Analysis

Sharing